A major privacy and data protection law currently proposed in the U.S. is threatening to ban targeted advertising, according to ad leaders who found it could hobble digital ad markets.
The American Privacy Rights Act was introduced earlier this month and was debated in the House of Representatives this week, and advertisers and brands have missed the broader implications of the proposed law, ad leaders told Ad Age. The bill is a reaction to the “surveillance advertising” industry and privacy concerns around the collection of online data.
For advertisers and businesses, consumer information is the lifeblood of internet commerce and advertising, fueling the rise of social media, online retail, connected TV and other digital services.
The proposal is “quite terrible,” said Lartease Tiffith, executive VP for public policy at IAB, the digital advertising trade group. IAB advocates for the interests of internet advertising, but other groups have read the legislation and come away with a similar feeling—that the American Privacy Rights Act (APRA) would drastically curtail the advertising technology ecosystem.
“It is slightly unclear, but I think at minimum, it requires opt-in consent [from consumers],” Tiffith told Ad Age this week, “but even more, maybe even a total ban on the ability to have cross-site tracking and web browsing data being shared, and used, for targeted advertising.”
The “opt-in” factor is an important distinction for online advertisers, suggesting consumers must proactively consent to online tracking for advertising purposes. Apple went with an opt-in framework for its App Tracking Transparency rules, which forced developers to present consumers with an alert requesting their permission to use data for personalized advertising. The move upended how major apps, including Facebook, Instagram, YouTube, TikTok and Snapchat, provided advertising services.
Sensitive information
The APRA proposal is unclear on whether there is an opt-in requirement or opt-out because it depends on the reading of the language of the bill, Tiffith said.
Ad experts read parts of the bill pertaining to sensitive information and data and see a possible ban on sharing information for targeted advertising, according to Alison Pepper, executive VP, government relations and sustainability at 4A’s, the ad agency trade group.
“You go into the definition of ‘sensitive data,’” Pepper told Ad Age, “and you see it includes online browsing activity, which is the basis for a lot of targeted advertising.”
The proposal is “inconsistent,” though, on the question of opt-in versus opt-out, Pepper said. Tiffith pointed to sections of the bill that refer to “opt-out” mechanisms for targeted advertising, but there also is a clause that refers to “opt-in” requirements for sensitive data, which includes web browsing data.
A U.S. House committee held hearings about APRA and nine other privacy proposals this week. The hearing showed bipartisan support to pass laws that address everything from data brokers buying and selling data to children’s online health and safety.
“Americans have been feeling the threats that they have, as consumers, as business people and certainly for our children, for far too long,” said U.S. Rep. Jan Schakowsky in opening remarks at the hearing. “Consumers find that companies are tracking all of their data, where they go and who they talk to,” Schakowsky said. “All of these things are an open book right now because of Big Tech.”
The online privacy debate has been raging at least since the EU enacted GDPR in 2018. The California Consumer Privacy Act was part of a wave of statewide data initiatives that were enacted starting in 2020. The new rules have forced platforms such as Google and Meta, which owns Facebook and Instagram, to overhaul their ad tech infrastructure. This year, Google plans to follow Apple’s policies by deprecating cookies on Chrome. Cookies are one of the main ways publishers, brands and ad tech vendors gather information about internet users so they can serve up highly targeted ads and measure their effectiveness.
How Google’s post-cookie ad tech changes the industry
Now, APRA has the potential to yet again transform how online businesses, publishers and ad tech vendors work together. The proposal defines how companies can share data with third parties for targeted advertising.
No one unscathed
“It impacts everybody, I don’t think anybody can really say this is not a concern,” Tiffith said. “I think for advertisers this is a concern because essentially it’s cutting off one of the most efficient, matter of fact, the most efficient, marketing mechanism that they have.”
APRA is still winding its way through Congress, and it will likely face key alterations, as will the other privacy and online safety bills. A witness at this week’s hearings told Congress that parts of the Communications Act and Video Privacy Protection Act negatively affect TV. “[It] could unintentionally cause significant disruption to operational, marketing and advertising practices that have long served consumers well in the television marketplace,” Maureen Ohlhausen, co-chair of the 21st Century Privacy Coalition, said in opening remarks at the hearings. (Ohlhausen is a past commissioner and acting chairman of the Federal Trade Commission.)
Some rules remained vague, which could pose a problem for online ad markets and affect how businesses use data to provide services, Ohlhausen said.
“We think that interest-based advertising, which involves the delivery of advertisements based upon our customers’ consumption of our services,” Ohlhausen said in the prepared remarks, “should be included as a permissible purpose along with first-party marketing and contextual advertising.”
Recent news: What to know about new Made for Advertising rules
In Europe, Meta has become an example of how data regulations collide with internet advertising. Europe ordered businesses to obtain consent before running personalized ads, which forced Meta to create an ad-free subscription offering for its apps. EU regulators have fined Meta over its personalized ads business and data handling practices, leading to drawn-out court cases.
In Europe, GDPR made it mandatory to get “specific and informed consent” to collect marketing data, said Jamie Barnard, CEO of Compliant, the data compliance firm. “Companies have been forced to offer a nuclear ‘reject’ [option] alongside the classic ‘accept all,’” Barnard said, referring to the notices web users run into online. “So the opt-in is very real.”
Still, the ad tech industry is able to adapt to regulations, Barnard said. “I wouldn’t be too hasty in foretelling the end of targeted ads,” Barnard said of the U.S. proposal. “But it’s important to understand what it could mean for the industry.”
English 
Українська